22408d58a4
We use two programs to check that the new reuseport logic is executed appropriately. The first is a TC clsact program which bpf_sk_assigns the skb to a UDP or TCP socket created by user space. Since the test communicates via lo we see both directions of packets in the eBPF. Traffic ingressing to the reuseport socket is identified by looking at the destination port. For TCP, we additionally need to make sure that we only assign the initial SYN packets towards our listening socket. The network stack then creates a request socket which transitions to ESTABLISHED after the 3WHS. The second is a reuseport program which shares the fact that it has been executed with user space. This tells us that the delayed lookup mechanism is working. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Co-developed-by: Lorenz Bauer <lmb@isovalent.com> Signed-off-by: Lorenz Bauer <lmb@isovalent.com> Cc: Joe Stringer <joe@cilium.io> Link: https://lore.kernel.org/r/20230720-so-reuseport-v6-8-7021b683cdae@isovalent.com Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
142 lines
3.2 KiB
C
142 lines
3.2 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/* Copyright (c) 2023 Isovalent */
|
|
#include <stdbool.h>
|
|
#include <linux/bpf.h>
|
|
#include <linux/if_ether.h>
|
|
#include <linux/in.h>
|
|
#include <linux/ip.h>
|
|
#include <linux/ipv6.h>
|
|
#include <linux/tcp.h>
|
|
#include <linux/udp.h>
|
|
#include <bpf/bpf_endian.h>
|
|
#include <bpf/bpf_helpers.h>
|
|
#include <linux/pkt_cls.h>
|
|
|
|
char LICENSE[] SEC("license") = "GPL";
|
|
|
|
__u64 sk_cookie_seen;
|
|
__u64 reuseport_executed;
|
|
union {
|
|
struct tcphdr tcp;
|
|
struct udphdr udp;
|
|
} headers;
|
|
|
|
const volatile __u16 dest_port;
|
|
|
|
struct {
|
|
__uint(type, BPF_MAP_TYPE_SOCKMAP);
|
|
__uint(max_entries, 1);
|
|
__type(key, __u32);
|
|
__type(value, __u64);
|
|
} sk_map SEC(".maps");
|
|
|
|
SEC("sk_reuseport")
|
|
int reuse_accept(struct sk_reuseport_md *ctx)
|
|
{
|
|
reuseport_executed++;
|
|
|
|
if (ctx->ip_protocol == IPPROTO_TCP) {
|
|
if (ctx->data + sizeof(headers.tcp) > ctx->data_end)
|
|
return SK_DROP;
|
|
|
|
if (__builtin_memcmp(&headers.tcp, ctx->data, sizeof(headers.tcp)) != 0)
|
|
return SK_DROP;
|
|
} else if (ctx->ip_protocol == IPPROTO_UDP) {
|
|
if (ctx->data + sizeof(headers.udp) > ctx->data_end)
|
|
return SK_DROP;
|
|
|
|
if (__builtin_memcmp(&headers.udp, ctx->data, sizeof(headers.udp)) != 0)
|
|
return SK_DROP;
|
|
} else {
|
|
return SK_DROP;
|
|
}
|
|
|
|
sk_cookie_seen = bpf_get_socket_cookie(ctx->sk);
|
|
return SK_PASS;
|
|
}
|
|
|
|
SEC("sk_reuseport")
|
|
int reuse_drop(struct sk_reuseport_md *ctx)
|
|
{
|
|
reuseport_executed++;
|
|
sk_cookie_seen = 0;
|
|
return SK_DROP;
|
|
}
|
|
|
|
static int
|
|
assign_sk(struct __sk_buff *skb)
|
|
{
|
|
int zero = 0, ret = 0;
|
|
struct bpf_sock *sk;
|
|
|
|
sk = bpf_map_lookup_elem(&sk_map, &zero);
|
|
if (!sk)
|
|
return TC_ACT_SHOT;
|
|
ret = bpf_sk_assign(skb, sk, 0);
|
|
bpf_sk_release(sk);
|
|
return ret ? TC_ACT_SHOT : TC_ACT_OK;
|
|
}
|
|
|
|
static bool
|
|
maybe_assign_tcp(struct __sk_buff *skb, struct tcphdr *th)
|
|
{
|
|
if (th + 1 > (void *)(long)(skb->data_end))
|
|
return TC_ACT_SHOT;
|
|
|
|
if (!th->syn || th->ack || th->dest != bpf_htons(dest_port))
|
|
return TC_ACT_OK;
|
|
|
|
__builtin_memcpy(&headers.tcp, th, sizeof(headers.tcp));
|
|
return assign_sk(skb);
|
|
}
|
|
|
|
static bool
|
|
maybe_assign_udp(struct __sk_buff *skb, struct udphdr *uh)
|
|
{
|
|
if (uh + 1 > (void *)(long)(skb->data_end))
|
|
return TC_ACT_SHOT;
|
|
|
|
if (uh->dest != bpf_htons(dest_port))
|
|
return TC_ACT_OK;
|
|
|
|
__builtin_memcpy(&headers.udp, uh, sizeof(headers.udp));
|
|
return assign_sk(skb);
|
|
}
|
|
|
|
SEC("tc")
|
|
int tc_main(struct __sk_buff *skb)
|
|
{
|
|
void *data_end = (void *)(long)skb->data_end;
|
|
void *data = (void *)(long)skb->data;
|
|
struct ethhdr *eth;
|
|
|
|
eth = (struct ethhdr *)(data);
|
|
if (eth + 1 > data_end)
|
|
return TC_ACT_SHOT;
|
|
|
|
if (eth->h_proto == bpf_htons(ETH_P_IP)) {
|
|
struct iphdr *iph = (struct iphdr *)(data + sizeof(*eth));
|
|
|
|
if (iph + 1 > data_end)
|
|
return TC_ACT_SHOT;
|
|
|
|
if (iph->protocol == IPPROTO_TCP)
|
|
return maybe_assign_tcp(skb, (struct tcphdr *)(iph + 1));
|
|
else if (iph->protocol == IPPROTO_UDP)
|
|
return maybe_assign_udp(skb, (struct udphdr *)(iph + 1));
|
|
else
|
|
return TC_ACT_SHOT;
|
|
} else {
|
|
struct ipv6hdr *ip6h = (struct ipv6hdr *)(data + sizeof(*eth));
|
|
|
|
if (ip6h + 1 > data_end)
|
|
return TC_ACT_SHOT;
|
|
|
|
if (ip6h->nexthdr == IPPROTO_TCP)
|
|
return maybe_assign_tcp(skb, (struct tcphdr *)(ip6h + 1));
|
|
else if (ip6h->nexthdr == IPPROTO_UDP)
|
|
return maybe_assign_udp(skb, (struct udphdr *)(ip6h + 1));
|
|
else
|
|
return TC_ACT_SHOT;
|
|
}
|
|
}
|